ok, whew
Thanks for making this exploit, it seems like its the worst for hackers
EDIT: Anti-exploit (silly me)
*Anti-exploit
You’re welcome. I hate exploiters with a passion. Whenever I can share knowledge with the community on a concrete, one-size-fits-all solution, I feel it is my duty to do so.
2 Likes
Very interesting indeed, however can an exploiter find a way to bypass this?
Would you not need a whitelist if you are giving a player a tool through tool.Parent = character or would you need to do tool.Parent = plr plr.Humanoid:EquipTool(tool)?
This is roblox we’re talking about here 
let’s be honest this prob won’t even get patched for a long time and I HIGHLY doubt they would put in effort to ban users over this.
1 Like
You don’t need to whitelist if you’re giving a brand new tool to a character. This script detects if a tool someone else had is given to a new person.
That’s why I said if you have to do that, clone the tool and parent it and delete the old tool.
This is a good approach to patching the exploit and should do the job well.
I’ve taken a similar approach myself to patching it but with some minor differences.
Including the main stuff like watching StarterGear and characters and other dupe points, I am also tracking when new tools are added to a players backpack and then making sure those tools only are parented to the players character and/or back to their own backpack.
If the tool is parented elsewhere it is assumed to be a malicious reparent and destroyed, with the original tool owner dealt with by the server. The reason for this additional system is as it seems malicious actors are able to parent these tools to other places too.
This approach seems to work and we’ve had no instances of successful tool exploits occurring in our games since the installation of this.
Hopefully Roblox will patch this completely so we won’t need to do these checks ourselves, this was plaguing my games for a while now and I had no clue how they were doing it for the longest time.
2 Likes
Tools are a completely silly mess. I came across this exact same exploit wherein exploiters could flood the starterpack with malicious tools and essential cause the anticheat to explode. It’s completely laughable.
This is the least educated post I have ever seen since crosswoods was happening.
Wrong and wrong. It’s been around for ages, and it’s not an exploit. It’s literally part of Roblox’s networking systems and has been exploitable for years, it’s just nobody has actually been publically doing anything with it until recently (and even then it’s still tightly under wraps due to how abusable it is for some things such as faking purchases in games)
Users could already (locally) do this for years with exploits. I haven’t looked too far into raknet abuse, however from what I know I don’t believe that this would be possible to replicate to the server in the way you’re describing it. (I may be wrong here, so please correct me with sources if you can as I would love to learn more)
Again, Raknet isn’t an exploit, and who is the “they” in this case?
The things you’re describing (skydive, dastbring, etc) were already possible with regular scripts, and I believe still are. None of those needed interaction with Raknet.
No idea what custom tool system means here considering all tools are custom by default (unless you’re talking about using free models or making your own scripts?) and not to mention those fling things and such all come down to how the tools are coded
I took your bait and got the model to see how bad it was considering how uneducated this thread was so far.
From what I can gather, this could be abused to falsely ban players by simply transferring the tool to their character, easily done by dropping the tool in a place where they can pick it up (as last I checked that can be modified client side, the server will still think it cant be dropped meaning it can still ban whoever picks it up) or simply equipping it to them by other means.
Plus, as you already said, cloning the tool will defeat this apparent anticheat entirely.
I looked into it, this sure as hell isn’t using Raknet as there is currently only like one or two executors that actually let you interact with any Raknet features, and this is a standalone script that apparently works on anything. I’d be genuinely willing to put money down that this script you mentioned isn’t actually doing anything with Raknet to begin with. Heck, if the replies are true, parts of this script are old as time itself.
They don’t, and you won’t.
10 Likes
Yeah… You are focusing on one vulnerability which can be found by raknet exploit… Raknet is just fancy word for networking and there is alot of other vulnerabilities… It was for example possible to shutdown people’s clients in games by rnet.shutdown() (source: Trust me bro).
Exploit with skydiving is absolutely seperate exploit, which is not limited to skydiving.
It is exploit which allows you to claim target’s network ownership (means you can mostly do anything you want with target).
There is feature to send packages and roblox logs those, so yes exploiters can get banned IF they send random packages.
Raknet is the middle-man api used to send/receive information to/from the roblox server. It’s what enables a roblox game to be multiplayer. They have billions of checks in place for what can be sent out, but every now and then, something slips through this filter. It happens all the time.
The script that re-parents tools is based on a bug that already exists, and can be achieved from a regular localscript in a game (I won’t publicly share this script because that would be bad). This has existed privately for a few years, and only lately was it leaked to the public
The exploit you must be referring to is “ScriptWare”. Unless you’re referring to a private exploit called “Celery”, which has an api in lua that provides full control over everything being sent to the server. This rarely offers more possibilities than using a regular script, but it’s not really “abusing” anything that isn’t already there. It really just allows you to use less lua code, to achieve the same thing. The script can be written to work with any exploit – it’s just easier to do it using Celery and its networking api.
We can conclude it’s nothing more than a bug in roblox’s filter, since it can be done without any exploits (just a localscript in a game). All we can do is report it to Roblox and wait for a patch to be made
This is neither new nor Raknet. Raknet is the API Roblox uses to handle packets/packet information.
There have been exploits regarding the Player’s Character and things parented under it for years. For instance, exploiters have and still can delete instances under their character model freely. This has, IIRC, been used to give a form of pseudo godmode when a script checks for missing limbs or such.
This tool exploit is more powerful, but it isn’t new. It’s only being used more now due to, as far as I can tell, three reasons:
A. More free and powerful scripts are utilizing it
B. It’s more universal than exploiting game-specific things like unsafe remotes.
C. I haven’t seen a single (although it may exist) Anti-Cheat on this forum protect against it. (I’ve seen multiple tool use patched, but not this)
Due to these reasons, it’s a particularly favorable exploit to capitalize on.
Although you are not entirely incorrect, you are being incredibly unfair.
This issue, although pervasive, hasn’t been tackled by many public Anti-Cheats, or even been discussed much in Anti-Cheat creation discussion.
So, even with its mistakes, this post does well in making developers who were previously unaware, or new, understand these capabilities. If the code is subpar, good developers will simply modify it to fix these issues. If said developers are not yet at that level, then they have other pressing issues to also worry about (movement hacks, unsafe remotes, etc).
You seem to forget that posts can be edited, and that the author can rectify their mistakes and improve their script. I don’t get why there’s so much venom in your rhetoric.
This clearly isn’t constructive criticism, as instead of simply informing someone of their mistakes and encouraging improvement, you are simply tearing down their statements and credibility. That isn’t helpful.
1 Like
I have updated the title of this post as well as the content in it since people have completely missed the point. This post was made to educate people of a new (by new, I mean recently released on v3rmillion where this wasn’t a huge deal before) exploit that I learned how to patch- and how to go about patching it themselves.
I also updated the model/source code due to some small issues with it.
I want people’s games to be protected against these bad actors. If you don’t want or don’t need this information, move on- there’s nothing here for you.
1 Like
Could you create this post as a bug/exploit report, instead of just as a resource, so it gets seen by Roblox staff?
I’m seeing vectors by which the code you provided could be used to maliciously ban other players if the exploit you describe in OP is actually possible. For example, if a player has a sanctioned tool in their StarterGear, then reparents it to another player’s StarterGear, you’re giving the exploiter the power to ban other players. Double check those yields—wait() statements will skip over one or more entire replication frame, so packets can trivially be sent by an exploiter to reparent their StarterPack to another player’s StarterPack, and ban the other player instead of themselves.
You should really report this exploit on the proper forum (#bug-reports:engine-bugs) if you believe it’s still working and reproducable. You can include the v3rm files in a private message to Roblox staff there.
4 Likes
How does this actually work?? Reparenting tools from the client doesnt replicate at all, so Im wondering what is going on here?
With this exploit it does. I don’t really understand how- but I witnessed it firsthand in a controlled environment (blank baseplate, tool with no scripts)
after having encountered it in my game just now, i can vouch that this definitely exists and is an ongoing issue, it seems to not be possible outside of using starter gear though… really bizarre that something like this is exploitable in such a way, seems like a massive oversight by roblox (one of many more)
How have I never noticed this? Is this affecting larger games?